Storing credit card numbers on hosted website.

 
 
John
12-15-2004
Hi,

I've always had the opinion that you don't store credit card numbers on a
hosted website database. But it has occurred to me, that perhaps I am
overreacting, and encrypted CC info may be ok. Now I know basic encryption, but
am not confident that I know what I don't know .. you know.

Basically, am I overreacting? Is the risk level acceptable if you store
encrypted CC numbers or not?

Thanks in advance.



 
 
 
 
 
Chris Podmore
12-15-2004
John,

It's also my opinion that you don't store credit card numbers. Our smart
client software can take payment via credit card but we do not store the
credit card number.

Unfortunately the person who knows all the legal bits is off until the new
year so I can't ask him but I think he got most of his information from the
data protection act.

Not much help I know, sorry.
Chris.

 
 
 
 
 
John
12-15-2004
Thanks Chris,

Maybe I will repost this in January. I'm very curious to know.

Regards,
John



 
 
Scott Allen
12-15-2004
It's almost impossible to keep them secure even if they are encrypted,
because someone else has total control over the machine. Encryption
makes it difficult - but where would you store the key to decrypt the
numbers?

--
Scott
http://www.OdeToCode.com/blogs/scott/


 
 
John
12-15-2004
"Scott Allen" wrote:
> It's almost impossible to keep them secure even if they are encrypted,
> because someone else has total control over the machine. Encryption
> makes it difficult - but where would you store the key to decrypt the
> numbers?


I was thinking the key to decrypt would have to be entered by the user. It
couldn't be stored. So basically, if you wanted to have an automatic
monthly payment, somebody would need to go to the "processing" page, enter
the key, and let the page run through all the charge transactions.

Actually, another thing I was thinking; if you use SSL, that only secures
the connection during transfer, right? So the server has unsecure access ...
but this would mean an unscrupulous hosting company or employee could be
logging CC info anyway. Actually, would that information be logged
somewhere on the server by default?

Is that correct? If so, ecommerce /w a web-host is inherently unsafe.

The more I think about this, the better an idea I think a 3rd party
processing company is.

Regards,
John
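
The scheme John describes, as an added C# example that is not part of the thread: because the hosted site must still encrypt cards at checkout, it assumes an RSA key pair, with the public key on the server and the private key stored only under the operator's passphrase. `CardVault` and its method names are hypothetical, the sample values are constructed, and .NET 6 or later is assumed.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added illustration (hypothetical names), not code from the thread.
static class CardVault
{
    // Run once, away from the hosted server. The public key is deployed to the
    // site; the private key is stored only in passphrase-encrypted form.
    public static (byte[] PublicKey, byte[] LockedPrivateKey) CreateKeys(string passphrase)
    {
        using var rsa = RSA.Create(3072);
        var pbe = new PbeParameters(PbeEncryptionAlgorithm.Aes256Cbc,
                                    HashAlgorithmName.SHA256, 600_000);
        return (rsa.ExportSubjectPublicKeyInfo(),
                rsa.ExportEncryptedPkcs8PrivateKey(passphrase, pbe));
    }

    // Checkout path on the hosted site: can encrypt, cannot decrypt.
    public static byte[] Encrypt(byte[] publicKey, string cardNumber)
    {
        using var rsa = RSA.Create();
        rsa.ImportSubjectPublicKeyInfo(publicKey, out _);
        return rsa.Encrypt(Encoding.ASCII.GetBytes(cardNumber), RSAEncryptionPadding.OaepSHA256);
    }

    // "Processing" page: works only while the operator supplies the passphrase.
    public static string Decrypt(byte[] lockedPrivateKey, string passphrase, byte[] stored)
    {
        using var rsa = RSA.Create();
        rsa.ImportEncryptedPkcs8PrivateKey(passphrase, lockedPrivateKey, out _);
        return Encoding.ASCII.GetString(rsa.Decrypt(stored, RSAEncryptionPadding.OaepSHA256));
    }
}

static class Program
{
    static void Main()
    {
        var (pub, locked) = CardVault.CreateKeys("operator passphrase (constructed)");
        byte[] row = CardVault.Encrypt(pub, "4111111111111111"); // constructed test number
        Console.WriteLine(CardVault.Decrypt(locked, "operator passphrase (constructed)", row));
        try { CardVault.Decrypt(locked, "wrong guess", row); }
        catch (CryptographicException) { Console.WriteLine("wrong passphrase: key stays locked"); }
    }
}
```

While the processing page runs, the passphrase, the unlocked private key and the decrypted numbers all sit in the host's memory, so Scott's point about who controls the machine still applies during that window.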


 
 
Scott Allen
12-15-2004
>Is that correct? If so, ecommerce /w a web-host is inherently unsafe.

I'd think so. They have physical access to the machine and the network
- so anything can happen.

If the host has been around for some time and has built up a
reputation, it might be a different case. Someone could arguably build
a case where a host could be more secure than self hosting (their
employees have extensive background checks, they are audited, they
have servers in a bunker under the mountain, etc).

--
Scott
http://www.OdeToCode.com/blogs/scott/


 